Receipt of an invalid XMPP Jingle "session-initiate" iq missing certain fields causes libpurple to dereference a NULL pointer.

Paul Aurich paul at
Fri Dec 2 01:40:08 EST 2011

And Paul Aurich spoke on 10/24/2011 07:48 PM, saying:
> On Sun, Oct 23, 2011 at 11:49:17PM +0200, Thijs Alkemade wrote:
>> Hello all,
> <snip/> (missing "media" attr on "description" element)
> <snip/> (missing "creator" on "content" element)
>> According to the spec
>> (, a
>> "<description>" element is required to have a "media" attribute, but
>> that is missing here.
>> libpurple/protocols/jabber/jingle/rtp.c:jingle_rtp_parse_codecs()
>> checks with strcmp if the media attribute is "video" or "audio", but
>> that means it will crash if it is NULL. Also, "<content>" is required
>> to have a "creator", but excluding that also causes a similar crash
>> with strcmp in jingle_rtp_init_media().


> Yep, thanks for reporting these.  I audited further strcmp uses, and
> believe the following will also crash (some tested, but constructing
> one side of a Jingle flow by hand [on the fly] is painful)
>    * jingle_handle_content_modify ('senders' is NULL, requires some
>      valid Jingle data structs locally)
>    * jingle_session_find_content() (called in most of the
>      jingle_handle_content_* functions), if 'name' attribute is missing
>    * jingle_session_find_pending_content() (via content-accept and
>      content-reject)
> All the other uses I looked at didn't appear to be crashers.  I would
> still like to replace all with purple_strequal (except where relatively
> obvious that something is not-NULL or it's more appropriate to
> explicitly handle NULLs first, like in jingle_rtp_init_media)
> jingle_rtp_init_media also appears to be leaking memory and refs to the
> JingleSession under error conditions.  I need to look into that further.

Thanks, Mark, for nudging me about this.

I'd like to propose the attached patch, which fixes the two crashes Thijs
identified and the others I noticed.

I'm not certain about the exit cases in jingle_rtp_init_media (the exit
cases in jingle_rtp_init_media may need to be calling purple_media_end(),
or conversely, the one that calls purple_media_end() may need to be
free/unref:ing some things.)  Regardless, crashing bad, and this should no
longer crash.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: proposed-jingle-crash-fix.patch
Type: text/x-patch
Size: 5705 bytes
Desc: not available
URL: <>
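The failure mode discussed in this thread (strcmp() on an attribute that the sender simply omitted), shown next to the NULL-safe comparison the fix relies on. This is an added illustration, not the attached patch nor libpurple code: the element/attribute structs and the names get_attr, str_equal and classify_media are stand-ins for the xmlnode API and for purple_strequal, and the sample elements are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a parsed XML element: a NULL-terminated
 * list of attribute name/value pairs (hypothetical, not libpurple's xmlnode). */
typedef struct { const char *name; const char *value; } attr_t;
typedef struct { const char *tag; const attr_t *attrs; } element_t;

/* Returns the attribute value, or NULL when the sender left it out. */
static const char *get_attr(const element_t *el, const char *name) {
    for (const attr_t *a = el->attrs; a->name != NULL; a++)
        if (strcmp(a->name, name) == 0)
            return a->value;
    return NULL;
}

/* NULL-safe equality, the behaviour the thread describes for purple_strequal:
 * two NULLs are equal, NULL never equals a real string, no dereference. */
static int str_equal(const char *a, const char *b) {
    if (a == b) return 1;
    if (a == NULL || b == NULL) return 0;
    return strcmp(a, b) == 0;
}

enum media_kind { MEDIA_UNKNOWN = 0, MEDIA_AUDIO, MEDIA_VIDEO };

/* Hardened classification of a <description> element. The original code
 * did the equivalent of strcmp(media, "audio"), which dereferences NULL
 * when "media" is missing; here a missing or unknown value yields
 * MEDIA_UNKNOWN and the caller must reject the session-initiate. */
enum media_kind classify_media(const element_t *description) {
    const char *media = get_attr(description, "media");
    if (str_equal(media, "audio")) return MEDIA_AUDIO;
    if (str_equal(media, "video")) return MEDIA_VIDEO;
    return MEDIA_UNKNOWN;
}

/* Constructed samples: a well-formed element and one missing "media",
 * as in the report. */
static const attr_t valid_attrs[]   = { {"media", "audio"}, {NULL, NULL} };
static const attr_t missing_attrs[] = { {"xmlns", "urn:xmpp:jingle:apps:rtp:1"}, {NULL, NULL} };
const element_t valid_description   = { "description", valid_attrs };
const element_t invalid_description = { "description", missing_attrs };

int main(void) {
    printf("valid -> %d\n", classify_media(&valid_description));     /* 1 */
    printf("missing -> %d\n", classify_media(&invalid_description)); /* 0 */
    return 0;
}
```

The same pattern applies to the "creator" attribute on <content> and the "name" and "senders" attributes mentioned above: look the value up, treat NULL as "absent", and never hand it to strcmp().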
